From 67bbad8ca5a0da10b26977a558328ac9c54f50c1 Mon Sep 17 00:00:00 2001 From: stephenjust Date: Wed, 26 Sep 2012 18:43:58 +0000 Subject: [PATCH] [stkaddons] Rewrote "access denied" page to be less annoying to code around --- about.php | 1 - addons-panel.php | 3 +- addons.php | 2 +- cron/daily.php | 1 - cron/weekly.php | 1 - error.php | 1 - generate_xml.php | 1 - image.php | 1 - include.php | 8 +-- include/AccessControl.class.php | 101 ++++++++++++++++++++++++++++++++ include/File.class.php | 11 ++++ include/User.class.php | 19 ++++++ include/addRating.php | 3 +- include/security.php | 89 ---------------------------- index.php | 2 +- login.php | 1 - manage-panel.php | 3 +- manage.php | 2 +- password-reset.php | 1 - register.php | 1 - reports/addon_records.php | 1 - reports/clients.php | 1 - reports/files.php | 1 - tpl/default/access-denied.tpl | 29 +++++++++ upload.php | 2 +- users-panel.php | 3 +- users.php | 2 +- 27 files changed, 174 insertions(+), 117 deletions(-) create mode 100644 include/AccessControl.class.php delete mode 100755 include/security.php create mode 100644 tpl/default/access-denied.tpl diff --git a/about.php b/about.php index 7d15d74d..05364a93 100644 --- a/about.php +++ b/about.php @@ -28,7 +28,6 @@ ***************************************************************************/ define('ROOT','./'); -$security =""; include('include.php'); Template::setFile('about.tpl'); diff --git a/addons-panel.php b/addons-panel.php index a7d4c1b6..d685f3f9 100755 --- a/addons-panel.php +++ b/addons-panel.php @@ -25,8 +25,7 @@ Description: page who is called in ajax and who give kart and track informations ***************************************************************************/ -if (!isset($security)) - $security =""; + if (!defined('ROOT')) define('ROOT','./'); include_once('include.php'); diff --git a/addons.php b/addons.php index 1023fdf2..78c53aac 100644 --- a/addons.php +++ b/addons.php 
@@ -26,7 +26,7 @@ Description: index page ***************************************************************************/ -$security =""; + define('ROOT','./'); include("include.php"); $_GET['type'] = (isset($_GET['type'])) ? $_GET['type'] : NULL; diff --git a/cron/daily.php b/cron/daily.php index bf0793fb..b0bac59d 100644 --- a/cron/daily.php +++ b/cron/daily.php @@ -20,7 +20,6 @@ define('ROOT','../'); define('CRON',1); -$security = ''; require (ROOT.'include.php'); File::deleteQueuedFiles(); diff --git a/cron/weekly.php b/cron/weekly.php index 2a6e6c40..7d363b68 100644 --- a/cron/weekly.php +++ b/cron/weekly.php @@ -19,7 +19,6 @@ */ define('ROOT','./web/'); -$security = ''; require (ROOT.'include.php'); log_email(); diff --git a/error.php b/error.php index c7dc4ecf..844e47c0 100644 --- a/error.php +++ b/error.php @@ -34,7 +34,6 @@ } define('ROOT','./'); -$security =""; require('include.php'); include('include/top.php'); echo ''; diff --git a/generate_xml.php b/generate_xml.php index ac389026..4b5a6046 100644 --- a/generate_xml.php +++ b/generate_xml.php @@ -19,7 +19,6 @@ */ define('ROOT','./'); -$security = ''; include_once('include.php'); $xml = writeNewsXML(); diff --git a/image.php b/image.php index 7ded4310..5b924396 100644 --- a/image.php +++ b/image.php @@ -17,7 +17,6 @@ stkaddons. If not, see . */ define('ROOT','./'); -$security=''; include('include.php'); resizeImage($_GET['pic']); diff --git a/include.php b/include.php index efed8307..6aa08176 100644 --- a/include.php +++ b/include.php @@ -19,6 +19,7 @@ */ require(ROOT.'config.php'); +require_once(ROOT.'include/AccessControl.class.php'); require_once(ROOT.'include/Template.class.php'); require(ROOT.'include/Constants.php'); require(ROOT.'include/exceptions.php'); 
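Review bot: The new `require_once(ROOT.'include/AccessControl.class.php');` placed right after `config.php` pulls in `sql.php`, `File.class.php` and `User.class.php` (AccessControl's own `require_once` lines) before `Constants.php`, `exceptions.php`, `Cache.class.php` and `ConfigManager.php` are loaded, whereas the old order loaded `User.class.php` after all of them. Since `User.class.php` ends with a top-level `User::init();` call, that initialisation now runs earlier than it used to; I cannot see `init()` from here, so this only matters if it touches those constants or classes, but it is worth confirming. The minimal way to keep the old order is to put the new line where `security.php` used to sit, directly after `require_once(ROOT.'include/User.class.php');` in the third include.php hunk, rather than after `config.php`. The other two include.php hunks only switch `require` to `require_once`, which is needed because AccessControl now loads the same files itself.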
@@ -26,7 +27,7 @@ require(ROOT.'include/Cache.class.php'); require(ROOT.'include/ConfigManager.php'); require(ROOT.'include/Validate.class.php'); -require(ROOT.'include/File.class.php'); +require_once(ROOT.'include/File.class.php'); require(ROOT.'include/SImage.class.php'); require(ROOT.'include/SMail.class.php'); require(ROOT.'include/News.class.php'); @@ -34,10 +35,9 @@ require(ROOT.'include/Addon.class.php'); require(ROOT.'include/AddonViewer.class.php'); require(ROOT.'include/locale.php'); -require(ROOT.'include/sql.php'); -require(ROOT.'include/User.class.php'); +require_once(ROOT.'include/sql.php'); +require_once(ROOT.'include/User.class.php'); require(ROOT.'include/Ratings.class.php'); -require(ROOT.'include/security.php'); require(ROOT.'include/coreUser.php'); require(ROOT.'include/image.php'); require(ROOT.'include/statistics.php'); diff --git a/include/AccessControl.class.php b/include/AccessControl.class.php new file mode 100644 index 00000000..9f7125d1 --- /dev/null +++ b/include/AccessControl.class.php 
@@ -0,0 +1,101 @@ + + * + * This file is part of stkaddons + * + * stkaddons is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * stkaddons is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with stkaddons. If not, see . + */ + +require_once(ROOT.'include/sql.php'); +require_once(ROOT.'include/File.class.php'); +require_once(ROOT.'include/User.class.php'); + +class AccessControl { + // Define permission levels + private static $permissions = array( + 'basicUser' => array( + 'basicPage' => true, + 'addAddon' => true, + 'manageaddons' => false, + 'managebasicUsers' => false, + 'managemoderators' => false, + 'manageadministrators' => false, + 'manageroots' => false, + 'managesettings' => false + ), + 'moderator' => array( + 'basicPage' => true, + 'addAddon' => true, + 'manageaddons' => true, + 'managebasicUsers' => true, + 'managemoderators' => false, + 'manageadministrators' => false, + 'manageroots' => false, + 'managesettings' => false + ), + 'administrator' => array( + 'basicPage' => true, + 'addAddon' => true, + 'manageaddons' => true, + 'managebasicUsers' => true, + 'managemoderators' => true, + 'manageadministrators' => false, + 'manageroots' => false, + 'managesettings' => true + ), + 'root' => array( + 'basicPage' => true, + 'addAddon' => true, + 'manageaddons' => true, + 'managebasicUsers' => true, + 'managemoderators' => true, + 'manageadministrators' => true, + 'manageroots' => true, + 'managesettings' => true + ) + ); + + public static function setLevel($accessLevel) { + $role = User::getRole(); + if 
(is_null($accessLevel)) return true; + + $allow = false; + if ($role == 'unregistered' && $accessLevel == NULL) { + $allow = true; + } elseif ($role == 'unregistered') { + $allow = false; + } else + $allow = AccessControl::$permissions[$role][$accessLevel]; + + if ($allow === false) + AccessControl::showAccessDeniedPage(); + } + + public static function showAccessDeniedPage() { + header('HTTP/1.0 401 Unauthorized'); + Template::setFile('access-denied.tpl'); + $fields = array( + 'ad_reason' => htmlspecialchars(_('You do not have permission to access this page.')), + 'ad_action' => htmlspecialchars(_('You will be redirected to the home page.')), + 'ad_redirect_url' => File::rewrite('index.php') + ); + + Template::assignments($fields); + Template::display(); + + exit; + } +} +?> diff --git a/include/File.class.php b/include/File.class.php index b1334933..1d5666b5 100644 --- a/include/File.class.php +++ b/include/File.class.php @@ -701,4 +701,15 @@ public static function link($href, $label) { } } +function cryptUrl($nbr) +{ + $str = ""; + $chaine = "abcdefghijklmnpqrstuvwxy"; + srand((double)microtime()*1000000); + for($i=0; $i<$nbr; $i++) + { + $str .= $chaine[rand()%strlen($chaine)]; + } + return $str; +} ?> diff --git a/include/User.class.php b/include/User.class.php index 3bbd2447..82576e29 100755 --- a/include/User.class.php +++ b/include/User.class.php 
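Review bot: `setLevel()` fails open when the permission lookup misses: for a `$role` value that is not one of the four keys of `$permissions` (anything unexpected coming back from `User::getRole()`, including `null`) or an `$accessLevel` string a caller mistyped, `AccessControl::$permissions[$role][$accessLevel]` evaluates to `null`, and the final `if ($allow === false)` does not treat `null` as a denial, so the page is served. The check should deny everything that is not an explicit grant: `if ($allow !== true)`, ideally preceded by an `isset(self::$permissions[$role][$accessLevel])` test so unknown roles and levels are denied rather than merely raising a notice. The `$role == 'unregistered' && $accessLevel == NULL` branch is unreachable after the `is_null()` early return and can go. Two smaller points in `showAccessDeniedPage()`: a logged-in user lacking a permission is a `403 Forbidden` case rather than `401 Unauthorized` (401 implies a `WWW-Authenticate` challenge), and the closing `?>` at the end of this class file risks a "headers already sent" failure for that `header()` call if any trailing whitespace follows it, which is why PHP-only files are conventionally left without the closing tag.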
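Review bot: `cryptUrl()` builds its string from `rand()` after `srand((double)microtime()*1000000)`, which is not a source of unpredictable values: `rand()` is not a cryptographic generator, and because `microtime()` without an argument returns a "msec sec" string whose numeric prefix is the sub-second fraction, the cast yields a seed between 0 and 999999, so every call restarts the generator from one of roughly a million states. The hunk does not show the callers (the function looks like it was carried over from the deleted `security.php`), but given its name, anything that uses its output as a token or secret should draw from a CSPRNG instead — `openssl_random_pseudo_bytes()` on this PHP generation, `random_int()` on PHP 7+ — and the `srand()` call should be dropped in any case. Style-wise, a free function appended after the `File` class in `File.class.php` is easy to overlook; a `public static` method on `File` (or a helpers file) would be the conventional home.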
@@ -263,6 +263,25 @@ public static function register($username, $password, $password_conf, $email, $n } Log::newEvent("Registration submitted for user '$username'"); } + + /** + * Get the role of the current user + * @return string Role identifier + */ + public static function getRole() { + if (!User::$logged_in) { + return 'unregistered'; + } else { + $query = 'SELECT `role` + FROM `'.DB_PREFIX.'users` + WHERE `user` = \''.mysql_real_escape_string($_SESSION['user']).'\''; + $handle = sql_query($query); + if (!$handle) return 'unregistered'; + + $result = mysql_fetch_array($handle); + return $result[0]; + } + } } User::init(); diff --git a/include/addRating.php b/include/addRating.php index 981d128d..34af3f53 100644 --- a/include/addRating.php +++ b/include/addRating.php @@ -20,8 +20,9 @@ session_start(); define('ROOT','../'); -$security = ""; include_once('../include.php'); +AccessControl::setLevel('basicPage'); + if (!isset($_GET['addonId'])) die('No addon.'); if (!User::$logged_in) diff --git a/include/security.php b/include/security.php deleted file mode 100755 index 9840ba39..00000000 --- a/include/security.php +++ /dev/null @@ -1,89 +0,0 @@ - - * - * This file is part of stkaddons - * - * stkaddons is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * stkaddons is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with stkaddons. If not, see . - */ -?> - - - - - -
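Review bot: `getRole()` guards only a failed query (`if (!$handle) return 'unregistered';`); when the query succeeds but returns no row for `$_SESSION['user']`, `mysql_fetch_array()` returns `false` and `$result[0]` yields `null`, which is then handed to `AccessControl::setLevel()` as the role. Returning `null` is worse than returning a wrong string, because the permission table has no `null` key and the caller's lookup then resolves to neither `true` nor `false`; the function should normalise to the closed case: `$result = mysql_fetch_array($handle); return ($result === false) ? 'unregistered' : $result[0];`. The docblock should also state that the return value is one of the known role identifiers or `'unregistered'`, since callers index a static table with it.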
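Review bot: With `AccessControl::setLevel('basicPage');` now placed before the existing `if (!User::$logged_in)` check at the end of the hunk, an unregistered caller never reaches that check — `setLevel()` renders `access-denied.tpl` and exits first — so whatever that branch responded with for this script's AJAX caller is replaced by a full HTML page with a 401 status. That is fine if the JavaScript calling `addRating.php` keys off the status code, but if it expects a plain body the client-side handling needs checking; the same applies to `manage-panel.php` and `users-panel.php`, which describe themselves as AJAX endpoints and now call `setLevel()` too. The remainder of `addRating.php` lies outside the hunk.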
- -
- -
- - - - - - -
- -
- -
- - diff --git a/index.php b/index.php index 9a35792d..d1f8cff6 100755 --- a/index.php +++ b/index.php @@ -27,8 +27,8 @@ ***************************************************************************/ define('ROOT','./'); -$security =""; require('include.php'); +AccessControl::setLevel(NULL); Template::setFile('index.tpl'); // I18N: Website meta description diff --git a/login.php b/login.php index ceece490..52049b29 100755 --- a/login.php +++ b/login.php @@ -27,7 +27,6 @@ ***************************************************************************/ define('ROOT','./'); -$security = ""; include(ROOT.'include.php'); // define possibly undefined variables diff --git a/manage-panel.php b/manage-panel.php index e9d88490..6eb9caaa 100644 --- a/manage-panel.php +++ b/manage-panel.php @@ -20,9 +20,8 @@ if (!defined('ROOT')) define('ROOT','./'); -if (!isset($security)) - $security = 'manageaddons'; require_once('include.php'); +AccessControl::setLevel('manageaddons'); if (!isset($_GET['action'])) $_GET['action'] = NULL; diff --git a/manage.php b/manage.php index 5927c825..2655ea0c 100644 --- a/manage.php +++ b/manage.php @@ -19,8 +19,8 @@ */ define('ROOT','./'); -$security = 'manageaddons'; require('include.php'); +AccessControl::setLevel('manageaddons'); $title = htmlspecialchars(_('STK Add-ons').' | '._('Manage')); diff --git a/password-reset.php b/password-reset.php index 1e24a451..4dbe50a3 100755 --- a/password-reset.php +++ b/password-reset.php @@ -20,7 +20,6 @@ */ define('ROOT','./'); -$security =""; include('include.php'); Template::setFile('password-reset.tpl'); diff --git a/register.php b/register.php index 10a1ed14..ca54998c 100755 --- a/register.php +++ b/register.php @@ -20,7 +20,6 @@ */ define('ROOT','./'); -$security =""; include('include.php'); $title = htmlspecialchars(_('STK Add-ons').' | '._('Register')); include(ROOT.'include/top.php'); diff --git a/reports/addon_records.php b/reports/addon_records.php index 78132aa4..00c0eabf 100644 
--- a/reports/addon_records.php +++ b/reports/addon_records.php @@ -19,7 +19,6 @@ */ define('ROOT','../'); -$security = ""; include(ROOT.'include.php'); include(ROOT.'include/Report.class.php'); diff --git a/reports/clients.php b/reports/clients.php index f6f759d1..a20874a7 100644 --- a/reports/clients.php +++ b/reports/clients.php @@ -19,7 +19,6 @@ */ define('ROOT','../'); -$security = ""; include(ROOT.'include.php'); include(ROOT.'include/Report.class.php'); diff --git a/reports/files.php b/reports/files.php index 909439f7..0ee719d3 100644 --- a/reports/files.php +++ b/reports/files.php @@ -19,7 +19,6 @@ */ define('ROOT','../'); -$security = ""; include(ROOT.'include.php'); include(ROOT.'include/Report.class.php'); diff --git a/tpl/default/access-denied.tpl b/tpl/default/access-denied.tpl new file mode 100644 index 00000000..c7c2f233 --- /dev/null +++ b/tpl/default/access-denied.tpl @@ -0,0 +1,29 @@ +{config_load file="tpl/default/tpl.conf"} + + + {$title|default:"Access Denied"} + + + + +
+

{$ad_reason}

+

{$ad_action}

+
+ + \ No newline at end of file diff --git a/upload.php b/upload.php index 5d853e9a..02d45610 100755 --- a/upload.php +++ b/upload.php @@ -19,8 +19,8 @@ */ define('ROOT','./'); -$security = 'addAddon'; include('include.php'); +AccessControl::setLevel('addAddon'); require_once(ROOT.'include/Upload.class.php'); include('include/top.php'); diff --git a/users-panel.php b/users-panel.php index e545961f..909f2002 100755 --- a/users-panel.php +++ b/users-panel.php @@ -28,11 +28,10 @@ Description: page who is called in ajax and who give user informations ***************************************************************************/ -if (!isset($security)) - $security =""; if (!defined('ROOT')) define('ROOT','./'); include_once('include.php'); +AccessControl::setLevel('basicPage'); if (!isset($_GET['id'])) $_GET['id'] = NULL; diff --git a/users.php b/users.php index 8f5649e2..93fdc218 100644 --- a/users.php +++ b/users.php @@ -28,9 +28,9 @@ Description: people ***************************************************************************/ -$security = 'basicPage'; define('ROOT','./'); include('include.php'); +AccessControl::setLevel('basicPage'); $_GET['user'] = (isset($_GET['user'])) ? mysql_real_escape_string($_GET['user']) : mysql_real_escape_string($_SESSION['user']); $action = (isset($_GET['action'])) ? $_GET['action'] : NULL;